Within the field of computing, many scenarios involve an execution of an application in various contexts (e.g., an application natively executing on a device, or managed by a runtime; an application executing within a virtual environment of the device, such as within a web browser; and an application executing remotely on a server and communicating with the user through a user interface rendered on a device). A particular context that is an area of contemporary focus is locally executing web applications, e.g., applications coded as web content (e.g., JavaScript and HTML 5) that may be executed without the encapsulating user interface of a web browser, thus resembling a native application but executing within the virtual environment of a web browser.
However, such software includes malware, comprising applications that perform activities that are undesirable to the user, such as corrupting the computing environment by deleting files; sending personal information of the user (e.g., authentication credentials and financial information) to another party; enable control of the device by another party, e.g., as part of a botnet; and/or spreading to other devices operated by the user or other users. Many techniques may be utilized to identify and mitigate the acquisition, distribution, and effects of malware. As a first example, application binaries may be scanned for identifiers of malware (e.g., resources or segments of code that often appear within a particular type of malware) prior to executing the application binary. However, many forms of malware avoid detection in this manner by encrypting such resources or segments of code; rendering code in a polymorphic manner that may take many forms but may achieve the same result; or hiding malicious executable code in non-code resources that are not scanned by malware detectors (e.g., hiding code within an image bitmap). As a second example, the device may monitor the utilization of local resources by respective processes; e.g., a process that is utilizing a large amount of memory or bandwidth may be identified for further evaluation by the device or by malware analysts. However, such monitoring may not be highly diagnostic; e.g., many legitimate processes may use large amounts of memory and/or bandwidth, while some processes comprising malware may maintain a low profile by using only modest amounts of memory or bandwidth. As a third example, the device may detect particular behaviors of respective processes that are often exhibited by malware; e.g., the device may detect an attempt to redirect keyboard input in a covert manner, to install other applications without the consent of the user, or to execute code in a non-code resource. However, some forms of malware may achieve malicious results through behaviors that appear to be legitimate.